PT-2026-37128 · Nhost · Nhost

Skoveit · Published 2026-04-18 · Updated 2026-05-08 · CVE-2026-41574

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Nhost versions prior to 0.49.1

Description

Nhost automatically links incoming OAuth identities to existing accounts when email addresses match, provided the email is marked as verified. Several provider adapters fail to correctly populate the profile.EmailVerified boolean, leading to potential account takeover. Specifically, the Discord adapter ignores the verified field from the API, and the Bitbucket adapter falls back to using unconfirmed emails while marking them as verified. Additionally, the AzureAD and EntraID adapters derive emails from non-ownership-proving fields, such as the user principal name, and mark them as verified regardless of actual ownership. This allows an attacker to use an email they do not own to merge their OAuth identity into a victim's account and obtain a full authenticated session.
Technical details include the following:
  • Vulnerable Function: providerFlowSignIn() in services/auth/go/controller/sign in id token.go links identities without a verification guard.
  • Vulnerable Variables: The profile.EmailVerified boolean is incorrectly trusted or populated.
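The following Go sketch is an added illustration, not code from Nhost or from the advisory. It models the linking rule described above (auto-link only on a verified email match) next to adapters that populate EmailVerified the way the three defects are described, each beside a hardened version, and runs the attacker's identities through the same decision. Every type and function name here is hypothetical (Profile, DecideSignIn, the adapter functions and the provider response shapes), and the provider fields are simplified constructions; the point is that the linking decision is only as safe as the EmailVerified bit the adapter feeds it.

```go
package main

import "strings"

// Profile is a hypothetical normalized OAuth profile, not Nhost's own type.
type Profile struct{ ProviderUserID, Email string; EmailVerified bool }

// Constructed, simplified shapes of the provider responses (field names assumed).
type discordUser struct{ ID, Email string; Verified bool }       // Verified: Discord's "verified" field
type bitbucketEmail struct{ Email string; Confirmed, IsPrimary bool }
type azureClaims struct{ OID, UPN, Email string }               // UPN does not prove mailbox ownership

// --- Adapters with the defect pattern the advisory describes ---
func discordVulnerable(u discordUser) Profile {
	// The provider's verified flag is ignored: every email is treated as verified.
	return Profile{ProviderUserID: u.ID, Email: u.Email, EmailVerified: true}
}

func bitbucketVulnerable(id string, emails []bitbucketEmail) Profile {
	email := ""
	for _, e := range emails {
		if e.Confirmed {
			email = e.Email
			break
		}
	}
	if email == "" && len(emails) > 0 {
		email = emails[0].Email // falls back to an unconfirmed address ...
	}
	return Profile{ProviderUserID: id, Email: email, EmailVerified: email != ""} // ... and calls it verified
}

func azureVulnerable(c azureClaims) Profile {
	// The user principal name is taken as an email and marked verified.
	return Profile{ProviderUserID: c.OID, Email: c.UPN, EmailVerified: true}
}

// --- Hardened adapters: EmailVerified reflects only what the provider asserts ---
func discordHardened(u discordUser) Profile {
	return Profile{ProviderUserID: u.ID, Email: u.Email, EmailVerified: u.Verified}
}

func bitbucketHardened(id string, emails []bitbucketEmail) Profile {
	chosen := ""
	for _, e := range emails {
		if !e.Confirmed {
			continue // unconfirmed addresses are never eligible for linking
		}
		if chosen == "" || e.IsPrimary {
			chosen = e.Email
		}
	}
	return Profile{ProviderUserID: id, Email: chosen, EmailVerified: chosen != ""}
}

func azureHardened(c azureClaims) Profile {
	// Use only the email claim and never assert verification from the token alone;
	// ownership must be proven by a separate verification step before linking.
	return Profile{ProviderUserID: c.OID, Email: c.Email, EmailVerified: false}
}

// --- Sign-in decision: link to an existing account only on a verified email match ---
type User struct{ ID, Email string }

type Store struct {
	Users []User
	Links map[string]string // provider user id -> user id
}

// DecideSignIn returns "signin" for an already-linked identity, "link" when a
// verified email matches an existing account, and "signup" otherwise.
func DecideSignIn(s *Store, p Profile) (action, userID string) {
	if uid, ok := s.Links[p.ProviderUserID]; ok {
		return "signin", uid
	}
	if p.Email != "" && p.EmailVerified {
		for _, u := range s.Users {
			if strings.EqualFold(u.Email, p.Email) {
				return "link", u.ID
			}
		}
	}
	return "signup", ""
}

// Constructed scenario: a victim account exists; the attacker's OAuth identities
// carry the victim's address as an unverified email (or as the UPN).
func VictimStore() *Store {
	return &Store{Users: []User{{ID: "victim", Email: "alice@example.com"}}, Links: map[string]string{}}
}

var (
	AttackerDiscord   = discordUser{ID: "d-1", Email: "alice@example.com", Verified: false}
	AttackerBitbucket = []bitbucketEmail{{Email: "alice@example.com", Confirmed: false, IsPrimary: true}}
	AttackerAzure     = azureClaims{OID: "a-1", UPN: "alice@example.com"}
)
```

With the victim store, DecideSignIn returns "link" to the victim for all three vulnerable adapters and "signup" for the hardened ones, while a Discord identity whose email the provider really reports as verified still auto-links, which is the intended behaviour. The hardened AzureAD variant that never asserts verification from the token is a conservative assumption of this example, not a statement of what the 0.49.1 fix does.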
Recommendations

Update to version 0.49.1 or later. As a temporary workaround, disable Discord, Bitbucket, AzureAD, and EntraID as OAuth providers until the update is applied.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-41574
GHSA-6G38-8J4P-J3PR

Affected Products

Nhost